Case Study and PPT S Midterm

Midterm Requirements

• Individual Paper:

  In chapter 8 you should have read about the Federal Information Security Management Act (FISMA).  Assume that this Act hasn’t been enacted yet and you are the one that is in charge of either getting this Act passed or in charge of making sure this act doesn’t get passed (You are pro FISMA or against FISMA).  In a 4 to 5 page paper describe FISMA, list the pros and cons, and make a decision on your support or non-support for the act.  Make sure you follow APA format and cite all of your sources.

• Team Presentation:

  Build a PowerPoint presentation on what you just discussed in your paper about FISMA.  Your presentation should contain 10 to 20 slides including the title and reference slides.  When you present your project remember that you are trying to convince people to either approve or disapprove FISMA.

Writing Requirements: 

• Team PowerPoint presentation 10-20 slides
• 4-5 page paper in APA format, for citations and refereneces
• Use the APA template located in the Student Resource Center to complete the assignment.

on time urgent

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Legal Issues in

Information Security

Lesson 8

Federal Government Information

Security and Privacy Regulations

Page 2Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Learning Objective

 Identify the key components of the Federal

Information Security Management Act

(FISMA).

Page 3Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Key Concepts

 Federal government information security

and

privacy regulation

 Federal Information Security Management

Act

(FISMA)

 Import and export laws for information

technology

 Security challenges facing the federal

government

 Office of Management and Budget (OMB)

Page 4Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Information Security Challenges

Facing the Federal Government

 Federal government is largest producer and user

of information in U.S.

 Government computer systems hold:

• Data critical for government operations

• Employment, tax, and citizenship data

• Data on businesses operating in the U.S.

• Data that’s used to protect the U.S. from threats

 Federal IT systems and data in them are

attractive targets for criminals

Page 5Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Federal Information Security

Management Act (FISMA)

 Categorizing information and information

systems by mission impact

 Complying with minimum security

requirements for

information systems

 Selecting appropriate security

controls

for

information systems

Page 6Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.
Federal Information Security

Management Act (FISMA) (Continued)

 Assessing security controls in information

systems

 Determining security control effectiveness

 Establishing security authorization of

information systems

 Monitoring security controls

 Assuring security authorization of

information systems

Page 7Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

FISMA Implementation Project

Develop and update security
Standards so comply with FISMA

Provide security reference materials
to support the Risk Management
Framework (RMF)

Apply risk management-based
approach to security controls

Page 8Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

NIST Risk Management

Framework Process

Categorize IT
systems

Select security
controls

Implement
security
controls

Assess security
controls

Authorize IT
systems

Continuously
monitor security

controls

Page 9Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Access Control Models

• Discretion of the
owner

Discretionary
Access Control

(DAC)

• Security labels and
classifications

Mandatory
Access Control

(MAC)

• Job function or role
Role-Based

Access Control
(RBAC)

Page 10Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Federal Privacy Laws

• Creation of information security programs

required

• Must review information security risks

• Must implement controls to mitigate risks

• Limits how federal agencies use

personally

identifiable information

• Must review IT systems for privacy

impacts

• Must notify public about their data

collection practices

Page 11Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

OMB Requirements

 Review and reduce the volume of personally

identifiable information store

 Eliminate unnecessary use of SSNs

 Explore alternatives to using SSN as a personal

identifier

 Develop policies and procedures for individuals

who are authorized to access personally

identifiable information

Page 12Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

OMB Breach Notification

Breach Notification Plan

Determine
if breach

notification
required

Time for
notification

Source of
the

notification

Contents
of the
notice

Means of
providing
the notice

Who gets
the notice

Page 13Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Regulatory Requirements for the Import

and Export of Information Technology

 Department of Commerce

 Export Administration Regulations (EAR)

 Export Administration Act of 1979

 Bureau of Industry and Security

 Commerce Control List (CCL)

 Department of State

 International Traffic in Arms Regulations (ITAR)

 Treasury Department

 Office of Foreign Asset Control (OFAC)

Page 14Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.
Regulatory Requirements for the Import
and Export of Information Technology

 Export of Technology or Software

 Release of technology or software subject to the

EAR in a foreign country

 Release of technology or source code subject to

the EAR to a foreign national within the United

States or outside.

 Transfer of source code

 Inspection or oral communication of code

 Violations subject to civil penalties or denial of

export privileges

 Willful violations subject to criminal penalties

Page 15Legal Issues in Information Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.

Summary

 Federal government information security and

privacy regulation

 Federal Information Security Management Act

(FISMA)
 Import and export laws for information
technology
 Security challenges facing the federal
government
 Office of Management and Budget (OMB)